New California Connected Devices Law Dictates Security Features for Manufacturers

Aigerim Dyussenova, Esq.

Aigerim Dyussenova is with Twitter’s Legal Policy team, where she works on matters dealing with the U. S. and International laws regarding freedom of speech. She is the current Education Chair of the CLA BLS Internet and Privacy Law Committee. In her free time, she explores privacy laws and compliance and ubiquitous internet platform products that provide social networking.

The nation’s first bill regulating the Internet of Things (IoT) became operative January 1, 2020, in California.¹ The law requires manufacturers of IoT devices sold in California to provide reasonable security features appropriate to the nature of the device. Gartner Research predicted IoT growth from 6.4 billion devices in 2019 to 25 billion devices in 2020.² Any device sold in California after January 1, 2020, needs to comply with the law. In the 1990s, John Romkey created a toaster that could be turned on and off over the Internet, but ever since then, manufacturers have had no laws holding them accountable for IoT security protection.

Passing the California law was an ongoing work-in-progress, beginning in 2017, when California State Senator Hannah-Beth Jackson introduced the first draft as Senate Bill 327.³ California Assemblywoman Jacqui Irwin sponsored similar IoT legislation, Assembly Bill 1906, and read her first draft of that bill in 2018.⁴ The California Legislature reconciled the language of both bills. Each bill was contingent on passage of the other and included a provision to become operative in January2020.